Bootstrap

Ansible - Copy an ansible vault encrypted file to managed nodes

by Jeremy Canfield | Updated: December 20 2023 | Ansible articles

If you are not familiar with the Ansible Vault, check out my article Getting Started with the Ansible Vault.

Generally speaking, when you have sensitive data that needs to be encrypted, there are two main approaches.

Store the encrypted data in a variable
Copy the encrypted file to each managed node

By and far, option 1 is definitely preferred. However, if for some reason option 1 is not feasible, this article describes how to copy an encrypted file to each managed node.

Let's say you used the ansible-vault create command to create a file named passwords.yml that contains sensitive data, perhaps something like this.

test_password: itsasecret
prod_password: hGn4!kD98A

Attempting to view the passwords.yml file using the cat command will display something like this. The ansible-vault view command can be used to view the content of the passwords.yml file.

$ANSIBLE_VAULT;1.1;AES256
66303833643731313633343266616162613965636161313534376563383639646463376630626635
3136316663626536303061333531303234616562323637330a373633393736393863373566623261
65643764336263613730666665663763383063386137383331386136366232666637626566653032
3933393061666138650a656238386665343838613833643435623932306539633138376533613039
6531

Here is an example of how passwords.yml could be used with the copy module.

---
- hosts: all
  tasks:
    - name: copy passwords.yml to the /usr/local/secure directory
      copy:
        src: passwords.yml
        dest: /usr/local/secure/passwords.yml
        owner: root
        group: root
        mode: 0600
...

Let's say you issue the ansible-playbook command like this.

ansible-playbook foo.yml

The following should be returned.

TASK [copy passwords.yml to the /usr/local/secure directory] 
fatal: [server1.example.com]: FAILED! => {"msg": "A vault password or secret must be specified to decrypt passwords.yml"}

Let's append the password that was used to encrypt passwords.yml to a file such as .vault_password.txt.

echo "itsasecret" > .vault_password.txt

And then update .vault_password.txt so that only the owner of the .vault_password.txt file can read and write to the .vault_password.txt file.

chmod 0600 .vault_password.txt

The --vault-password-file command line option can then be included on the command line.

ansible-playbook foo.yml --vault-password-file .vault_password.txt

On each managed node that passwords.yml was copied to, the /usr/local/secure/passwords.yml file will be unencrypted, so that the /usr/local/secure/passwords.yml file contains the following.

test_password: itsasecret
prod_password: hGn4!kD98A

Did you find this article helpful?

If so, consider buying me a coffee over at

Comments

February 10 2023 by prashanth

i want to copy my encrypted vault file from local to remote server and i want the file to remain encrypted in remote host as well. what modules and commands should i use.

February 10 2023 by Jeremy (moderator)

The copy module can be used to copy a file from one system to another system and the file will remain encrypted since the copy module does not change or modify the file, it's just copying from one system to another. http://www.freekb.net/Article?id=759

Did you find this article helpful?

Comments

Add a Comment